On March 1st, 2017, the New York State Department of Financial Services put into effect new cybersecurity requirements for its ‘covered entities’. Those entities include banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York.
Within the next 180 days (starting from March 1st, 2017), organizations must ensure they have a comprehensive Cybersecurity Program in place, supported by written and implemented Cybersecurity Policies. They also need to limit user access privileges to Information Systems providing access to “Nonpublic Information”. Over the course of the next 12 months, full compliance with NYCRR 500 is mandatory, and the Chairperson of the Board or a Senior Officer of the company is required to sign and file a Certificate of Compliance.
Section | Title | 180-Days | 12-Months | 18-Months | 24-Months
---|---|---|---|---|---
500.02 | Cybersecurity Program | ✔ | | |
500.03 | Cybersecurity Policy | ✔ | | |
500.04 | Chief Information Security Officer | | ✔ | |
500.06 | Audit Trail | | | ✔ |
500.07 | Access Privileges | ✔ | | |
500.09 | Risk Assessment | | ✔ | |
500.13 | Limitations on Data Retention | | | ✔ |
Today I want to focus on what is arguably one of the most important sections: access privileges to Information Systems providing access to “Nonpublic Information”. For many organizations, Active Directory (AD) is the system that grants privileged access to Nonpublic Information. The problem is that AD has become difficult to manage for many reasons. A common example is a directory migrated from another technology and managed over the years by a large number of people with no defined process for day-to-day operations. To those responsible for AD, cleaning it up may sound like a novel idea, but the risk of introducing unknown problems has proved to be a great barrier to getting started. Nonetheless, with the introduction of NYCRR 500, organizations have to tackle this challenge.
Here are 4 steps for ensuring NYCRR 500 compliance:
1. Identify and clean up stale users, stale computers, and empty and duplicate groups, keeping track of your progress in de-provisioning workflows.
2. Identify who is in what group, including sensitive groups—and where groups are nested or have broken group membership (circular nesting). Then, report on and remediate these issues.
3. Discover where groups have access, and what level of access, so you can map Active Directory to the business structure. This process helps you close down open shares and implement least privileged access to better protect your data and resources.
4. Look at all groups and the users assigned to them, determine the manager of the resource, and provide information about the owner. This will help you identify, assign, and involve business data managers so they can provision access.
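As an added illustration of steps 1 and 2 (not code from the original post or from STEALTHbits), the following read-only PowerShell script inventories stale users and computers, empty groups, and circularly nested groups, and writes dated CSV reports so progress can be tracked between de-provisioning runs. It assumes the RSAT ActiveDirectory module, read access to the directory, and a 90-day inactivity threshold, which is an assumed value to be set to your own policy.

```powershell
# Added example (not from the original post). Read-only inventory for steps 1 and 2.
# Assumes the RSAT ActiveDirectory module and rights to read the directory.
# The 90-day inactivity threshold is an assumption; align it with your policy.
Import-Module ActiveDirectory

$Inactive = New-TimeSpan -Days 90

# Step 1: stale users and computers (no logon within the threshold), enabled accounts only,
# since disabled accounts are usually already in a de-provisioning workflow.
$StaleUsers = Search-ADAccount -AccountInactive -TimeSpan $Inactive -UsersOnly |
    Where-Object { $_.Enabled } | Select-Object SamAccountName, LastLogonDate, DistinguishedName
$StaleComputers = Search-ADAccount -AccountInactive -TimeSpan $Inactive -ComputersOnly |
    Where-Object { $_.Enabled } | Select-Object Name, LastLogonDate, DistinguishedName

# Step 1: empty groups (no direct members at all).
$EmptyGroups = Get-ADGroup -Filter * -Properties Members |
    Where-Object { $_.Members.Count -eq 0 } | Select-Object Name, DistinguishedName

# Step 2: circular nesting. Walk each group's nested groups depth-first; if the walk
# arrives back at the starting group, the membership chain is circular.
# Note: Get-ADGroupMember errors on groups containing foreign security principals
# or more than the server's member-enumeration limit; those groups need manual review.
function Test-CircularNesting {
    param([string]$GroupDN)
    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($GroupDN)
    while ($stack.Count -gt 0) {
        $current = $stack.Pop()
        $nested = Get-ADGroupMember -Identity $current |
            Where-Object { $_.objectClass -eq 'group' }
        foreach ($g in $nested) {
            if ($g.DistinguishedName -eq $GroupDN) { return $true }   # cycle back to the start
            if ($visited.Add($g.DistinguishedName)) { $stack.Push($g.DistinguishedName) }
        }
    }
    return $false
}
$CircularGroups = Get-ADGroup -Filter * |
    Where-Object { Test-CircularNesting $_.DistinguishedName } |
    Select-Object Name, DistinguishedName

# Dated reports: diff successive runs to show the auditor what was remediated.
$Stamp = Get-Date -Format 'yyyyMMdd'
$StaleUsers     | Export-Csv "stale-users-$Stamp.csv"     -NoTypeInformation
$StaleComputers | Export-Csv "stale-computers-$Stamp.csv" -NoTypeInformation
$EmptyGroups    | Export-Csv "empty-groups-$Stamp.csv"    -NoTypeInformation
$CircularGroups | Export-Csv "circular-groups-$Stamp.csv" -NoTypeInformation
```

Run it from an account that can read every OU; anything the script cannot enumerate (for example groups it errors on) should be added to the review list rather than assumed clean.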
STEALTHbits can automate the reporting that accompanies every audit and put effective controls in place to ensure those reports have only the news you want your auditor to see.
Find out more by visiting our NYCRR 500 Solution page.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies, responsible for end-to-end product vision and innovation. With a 16-year tenure in cybersecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.